persistance cookie and SSL Certificate

Question

Hi, 
&nbsp;  
&nbsp; we would like to change the rule that have been implemented in the F5 to improve the load balancing of our servers. 
&nbsp; Our architecture is: 
&nbsp; We have 2 apache servers which are load-balacing 2 weblogic servers. 
&nbsp; On each apache servers we installed a cleartrust plug-in to be able to be authentified again Cleartrust. 
&nbsp; When you are successfully authentified by Cleartrust, Cleartrust set a cookie into the session. 
&nbsp; Currently our problem is all requests are coming from the same machine during 1 hour, they will always go to the same weblogic server. 
&nbsp; Or we would like to have a real round robin. 
&nbsp; I mean if there is 2 requests initiated by the same user on one machine, we would like that the request A goes to Weblogic Server A and the request B on the weblogic Server B. 
&nbsp; In addition the SSL is implemented at the load balancer level. 
&nbsp; So, can we use the cookie as a way to do this kind of round robin? 
&nbsp; Or/and do we have to use the SSL? 
&nbsp;  
&nbsp; Thanks in advance 
&nbsp;  
&nbsp; Best Regards 
&nbsp;  
&nbsp; Didier 
&nbsp;

hoolio · Answer

Hi Didier, 
&nbsp;  
&nbsp; What iRule are you using now?  Is the traffic through the virtual server decrypted on LTM?  Can you provide a simple diagram of the traffic flow including the client, apache servers, cleartrust servers app servers and LTM?  It's not clear to me which connections or requests you're trying to get better distribution for. 
&nbsp;  
&nbsp; Thanks, 
&nbsp; Aaron

naladar_65658 · Answer

To clarify a little... are you load balancing to two different apache web servers and then having each of those web servers pass traffic off to separate application servers? 
&nbsp;  &nbsp;

bosd_11235 · Answer

Hi, 
&nbsp;  
&nbsp; the rule that has been implemented is a persistance round robin with a time out of 1 hour. The round robin is dependant of the source ip. It means that if a user launch 1000 connections in less than 1 hour form the same machine, those sessions will reach the same weblogic server. Or i would like that the sessions would be dispatched between the 2 weblogic servers. 
&nbsp; To better understand the problematic, i join an architecture diagram. 
&nbsp;  
&nbsp; Thanks for your help 
&nbsp;  
&nbsp; Best Regards 
&nbsp;  
&nbsp; Didier

colin_walker_12 · Answer

So you're running into an issue due to the persistence you're using.  It sounds like you don't actually want persistence at all. You really want true round robin load balancing even when receiving repeat requests from the same client. 
&nbsp;  
&nbsp; If that's the case, why not just remove the persistence record? 
&nbsp;  
&nbsp; Or am I over simplifying? 
&nbsp;  
&nbsp; Colin &nbsp;

bosd_11235 · Answer

Hi, 
&nbsp;  
&nbsp; no we need to keep the persistance because if during a connection, the session goes from a weblogic server to an other, the user will be prompted by a login page. 
&nbsp; So during 45 minutes(which is the time out of the web application), the users requests have to reach always the same weblogic server. 
&nbsp; The cookie which is generated by cleartrust and put into the header of the web application is also valid during 45 minutes. 
&nbsp; The value of this cookie is different even if a user open multiple connections from the same machine. 
&nbsp;  
&nbsp; Best Regards 
&nbsp;  
&nbsp; Didier

Forum Discussion

persistance cookie and SSL Certificate

Recent Discussions

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

Submenus missing in ASM Security Tab

XC Bot defense question

LTM Rule, iRule, or Brute Force Configuration to Limit URL Access

NetScaler to F5 Migration

Related Content

Decoding the IPv4 address from the persistence cookie

How OneConnect Profile works with Cookie Persistence

Persistence Cookie Logging

Persistence Cookie Logger

Set the SameSite Attribute for LTM Persistence Cookies

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS